2. STUXNETStuxnet is the first weapon everbuild by man kind which is built ofentirely Computer Code.Stuxnet is a computer worm.Stuxnet is a large, complex piece ofmalware with many differentcomponents and functionalities.Stuxnet is a threat that wasprimarily written to target anindustrial con-trol system or setof similar systems. Industrialcontrol systems are used in gaspipelines and power plants.
3. STUXNETIts final goal is to reprogram industrial control systems (ICS) bymodifying code on programmable logic controllers (PLCs) tomake them work in a manner the attacker in-tended and to hidethose changes from the operator of the equipment.In order to achieve this goal the creators amassed a vast array ofcom-ponents to increase their chances of success. This includeszero-day exploits, a Windows rootkit, the first ever PLCrootkit, antivirus evasion techniques, complex processinjection and hooking code, network infection routines, peer-to-peer updates, and a command and control interface. Theworm initially spreads indiscriminately, but includes a highlyspecialized malware payload that is designed to target onlySiemens supervisory control and data acquisition (SCADA)systems that are configured to control and monitor specificindustrial processes. Different variants of Stuxnet targeted fiveIranian organizations, with the probable target widely suspected tobe uranium enrichment infrastructure
4. STUXNETThe worm was at first identified by the security companyVirusBlokAda in mid-June 2010.Kaspersky Lab experts at first estimated that Stuxnet startedspreading around March or April 2010, but the first variant of theworm appeared in June 2009. The second variant, with substantialimprovements, appeared in March 2010.In the United Kingdom on 25 November 2010, Sky News reportedthat it had received information from an anonymous source at anunidentified IT security organization that Stuxnet, or a variation of theworm, had been traded on the black market.
5. Infection StatisticsInfected Hosts The follow-ing graph shows the number of unique infected hosts by country:
6. Geographic Distribution of Infections
7. Percentage of Stuxnet infected Hosts with Siemens Software installed
8. Stuxnet ArchitectureThe heart of Stuxnet consists of a large .dll file that contains manydifferent exports and resources. In addition to the large .dll file, Stuxnetalso contains two encrypted configuration blocks.The dropper component of Stuxnet is a wrapper program that contains allof the above components stored inside itself in a section name “stub”.A pointer to the original stub section is passed to this export as aparameter. This export in turn will extract the .dll file from the stubsection, which was passed as a parameter, map it into memory and callanother different export from inside the mapped .dll file. The pointer tothe original stub section is again passed as a parameter. This occurscontinuously throughout the execution of the threat, so the original stubsection is continuously passed around between different processes andfunctions as a parameter to the main payload. In this way every layer ofthe threat always has access to the main .dll and the configuration blocks.
9. OperationUnlike most malware, Stuxnet does little harm to computers andnetworks that do not meet specific configuration requirements; "Theattackers took great care to make sure that only their designated targetswere hit...While the worm is promiscuous, it makes itself inert if Siemens softwareis not found on infected computers, and contains safeguards to preventeach infected computer from spreading the worm to more than threeothers, and to erase itself on 24 June 2012.For its targets, Stuxnet contains, among other things, code for a man-in-the-middle attack that fakes industrial process control sensor signals soan infected system does not shut down due to abnormal behavior.
10. OperationThe worm consists of a layered attack against three differentsystems:•The Windows operating system,•Siemens PCS 7, WinCC and STEP7 industrial softwareapplications that run on Windows and•One or more Siemens S7 PLCs.
11. Windows infectionStuxnet attacked Windows systems using an unprecedented four zero-dayattacks. It is initially spread using infected removable drives such as USB flashdrives, and then uses other exploits and techniques such as peer-to-peer RPC toinfect and update other computers inside private networks that are not directlyconnected to the Internet. Stuxnet is unusually large at half a megabyte in size, andwritten in several different programming languages (including C and C++) whichis also irregular for malware.The malware has both user-mode and kernel-mode rootkit capability underWindows, and its device drivers have been digitally signed with the private keysof two certificates that were stolen from separate companies, JMicron andRealtek, that are both located at Hsinchu Science Park in Taiwan. The driversigning helped it install kernel-mode rootkit drivers successfully and thereforeremain undetected for a relatively long period of time.Two websites in Denmark and Malaysia were configured as command andcontrol servers for the malware, allowing it to be updated, and for industrialespionage to be conducted by uploading information.
12. Software infectionOnce installed on a Windows system Stuxnet infects project files belonging toSiemens WinCC/PCS 7 SCADA control software (Step 7), and subverts a keycommunication library of WinCC called s7otbxdx.dll. Doing so interceptscommunications between the WinCC software running under Windows and thetarget Siemens PLC devices that the software is able to configure and programwhen the two are connected via a data cable. In this way, the malware is able toinstall itself on PLC devices unnoticed, and subsequently to mask its presencefrom WinCC if the control software attempts to read an infected block ofmemory from the PLC system. The malware furthermore used a zero-day exploitin the WinCC/SCADA database software in the form of a hard-codeddatabase password.
13. Overview of normal communications between Step 7 and a Siemens PLC
14. Overview of Stuxnet hijacking communication between Step 7 software and a Siemens PLC
15. PLC infectionThe entirety of the Stuxnet code has not yet been understood, but its payloadtargets only those SCADA configurations that meet criteria that it isprogrammed to identify. Stuxnet requires specific slave variable-frequencydrives (frequency converter drives) to be attached to the targeted SiemensS7-300 system and its associated modules. It only attacks those PLC systemswith variable-frequency drives from two specific vendors: Vacon based inFinland and Fararo Paya based in Iran. Furthermore, it monitors thefrequency of the attached motors, and only attacks systems that spin between807 Hz and 1210 Hz. The industrial applications of motors with theseparameters are diverse, and may include pumps or gas centrifuges.Stuxnet installs malware into memory block DB890 of the PLC thatmonitors the Profibus messaging bus of the system. When certain criteria aremet, it periodically modifies the frequency to 1410 Hz and then to 2 Hz andthen to 1064 Hz, and thus affects the operation of the connected motors bychanging their rotational speed. It also installs a rootkit—the first suchdocumented case on this platform—that hides the malware on the system andmasks the changes in rotational speed from monitoring systems.
16. Target and OriginIt has been speculated that Israel and the United States may have beeninvolved.In May 2011, the PBS program Need To Know cited a statement byGary Samore, White House Coordinator for Arms Control andWeapons of Mass Destruction, in which he said, "were glad they [theIranians] are having trouble with their centrifuge machine and that we– the US and its allies – are doing everything we can to make sure thatwe complicate matters for them", offering "winkingacknowledgement" of US involvement in Stuxnet.According to the British Daily Telegraph, a showreel that was playedat a retirement party for the head of the Israel Defence Forces(IDF), Gabi Ashkenazi, included references to Stuxnet as one of hisoperational successes as the IDF chief of staff.
17. Iran as targetBushehr Nuclear Power Plant and the Natanz nuclear facility
18. The virus worked by first causing an infected Iranian IR-1 centrifuge to increasefrom its normal operating speed of 1,064 hertz to 1,410 hertz for 15 minutesbefore returning to its normal frequency. Twenty-seven days later, the virus wentback into action, slowing the infected centrifuges down to a few hundred hertz fora full 50 minutes. The stresses from the excessive, then slower speeds, caused thealuminum centrifugal tubes to expand, often forcing parts of the centrifuges intosufficient contact with each other to destroy the machine.According to the Washington Post, International Atomic Energy Agency(IAEA) cameras installed in the Natanz facility recorded the sudden dismantlingand removal of approximately 900–1000 centrifuges during the time the Stuxnetworm was reportedly active at the plant. Iranian technicians, however, were ableto quickly replace the centrifuges and the report concluded that uraniumenrichment was likely only briefly disrupted.
19. Iran as targetOn 29 November 2010, Iranianpresident MahmoudAhmadinejad stated for the firsttime that a computer virus hadcaused problems with thecontroller handling the centrifugesat its Natanz facilities. Accordingto Reuters he told reporters at anews conference in Tehran, "Theysucceeded in creating problems fora limited number of our centrifugeswith the software they had installedin electronic parts."
20. SummaryStuxnet represents the first of many milestones in malicious code history –it is the first to exploit four 0-day vulnerabilities, compromise two digitalcertificates, and inject code into industrial control systems and hide thecode from the operator. Whether Stuxnet will usher in a new generation ofmalicious code attacks towards real-world infrastructure—overshadowingthe vast majority of current attacks affecting more virtual or individualassets—or if it is a once- in-a-decade occurrence remains to be seen.Stuxnet is of such great complexity—requiring significant resources todevelop—that few attackers will be capable of producing a similarthreat, to such an extent that we would not expect masses of threats ofsimilar in sophistication to suddenly appear. However, Stuxnet hashighlighted direct-attack attempts on critical infra-structure are possibleand not just theory or movie plotlines.